PRIVACY POLICY

Information Notice pursuant to Arts. 13–14 EU Regulation 2016/679 (GDPR) and D.Lgs. 196/2003 Last revised: 17 April 2026

At MIDI-Makers, building the world';s first global MIDI marketplace also means building it right — and that starts with how we handle your data. This Privacy Policy explains what personal data we collect when you visit www.midi-makers.com ("the site"), why we collect it, and what rights you have over it. By browsing this Site, you acknowledge that you have read and understood this policy.

1. Scope of This Policy
   This policy applies to www.midi-makers.com in its current form — an informational landing page and Beta waitlist for the myMIDI platform. At this stage, the Site does not process purchases, payments, user accounts, or shipments. Those activities will be governed by a separate, updated Privacy Policy published before the marketplace goes live. If you are already on our waitlist, we will notify you directly when that time comes.
2. Data Controller
   ‍The Data Controller is MIDI-MAKERS S.R.L., with registered office at Via Tiengo, 15 – Benevento (BN), Italy.
   
   For any privacy-related request, you can reach us at: amministrazione@midi-makers.com
   — PEC: midi-makers@pec.it
   
   No Data Protection Officer (DPO) has been appointed. Having assessed the conditions setout in Art. 37 GDPR, MIDI-MAKERS S.R.L. has determined that appointment is not currently mandatory: the Site processes personal data on a limited scale, does not handle special categories of data under Art. 9 GDPR, and does not carry out systematic, large-scale monitoring of individuals. Should a DPO be designated voluntarily or become required in the future, their contact details will be published in this policy without delay.
3. Processing Methods
   ‍The Data Controller collects the following types of Personal Data:
   ‍
   (a) Data you choose to share:
   If you fill in our contact form, we collect your name and e-mail address to respond to your inquiry. If you join the myMIDI Beta Program waitlist, we collect your name and e-mail address on the basis of the pre-contractual relationship established by your sign-up request. Providing this information is entirely voluntary in both cases — declining simply means we cannot get back to you or add you to the list. The sign-up form includes a confirmation that you are at least 14 years of age, consistent with the requirements of Art. 2-quinquies D.Lgs. 196/2003. You are responsible for ensuring that any third-party data you submit through the Site is shared with their knowledge and consent.
   ‍
   (b) Browsing data:
   When you visit the Site, our servers automatically collect technical information tied to your connection: IP address, browser type and version, operating system, pages visited, and access timestamps. This data is not used to identify you directly and is retained for a maximum of 7 days in raw form, and up to 12 months in anonymous, aggregated form for statistical purposes only.
   ‍
   (c) Cookies and similar technologies:
   This Site uses technical cookies and, with your consent, third-party analytical and socialmedia cookies. Specifically, we use Google Analytics 4 (GA4), which collects certain identifiers by default (including a client ID stored in the _ga cookie and session data).
   Unlike its predecessor, GA4 does not rely on the anonymizeIp flag; instead, it applies data minimisation at collection level and does not log full IP addresses. However, GA4 does transmit other identifiers to Google LLC (USA) as a data processor. We have entered into a Data Processing Agreement with Google LLC and rely on the EU–US Data Privacy Framework as the transfer mechanism. For full details on what cookies are set, their purpose, duration, and how to manage or withdraw your consent, please read our Cookie Policy at www.midi-makers.com/cookie-policy.
4. Why We Use Your Data and on What Legal Basis⁠
   ‍
   We process your data only for specific, clearly defined purposes:
   ‍
   Site security and operation — to keep the Site running safely and detect anomalies. Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR). Retention: 7 days (raw logs), 12 months (anonymous aggregates).
   ‍
   Responding to contact form submissions — to answer your questions and requests, where the inquiry has been voluntarily initiated by you. Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR). Retention: 6 months from the date the request is closed.
   ‍
   Beta Program waitlist and pre-launch communications —to keep you informed about the myMIDI launch and exclusive early access. Legal basis: Art. 6(1)(b) GDPR. Where communications go beyond operational pre-launch notices, the additional legal basis is explicit consent, freely given and revocable at any time (Art. 6(1)(a) GDPR). Retention: until you withdraw consent, or a maximum of 24 months from sign-up — whichever comes first.
   
   Cookie-based analytics — to measure Site traffic and improve user experience via Google Analytics 4. Legal basis: consent, collected via cookie banner prior to any non-essential cookie being set (Art. 6(1)(a) GDPR; Art. 122 D.Lgs. 196/2003). Retention: as specified in the Cookie Policy.
5. Data Retention ‍
   We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the principles of data minimisation and storage limitation (Art. 5(1)(e) GDPR):
   Contact form data: 6 months from closure of the request
   Beta waitlist data: until consent is withdrawn, max 24 months from sign-up
   Server logs (raw): 7 days
   Server logs (anonymised aggregates): 12 months
   Cookie analytics data (GA4 _ga cookie): 2 years — see Cookie Policy
   Legal and fiscal data (future marketplace): 10 years from transaction, pursuant to Art. 6(1)(c) GDPR
   ‍
   At the end of each retention period, data is permanently deleted or irreversibly
   anonymised. Active legal disputes may suspend retention periods until final resolution.
6. Who Can Access Your Data⁠‍
   We do not sell, trade, or rent your personal data. We may share it only to the extent strictly necessary with the following categories of service providers, all appointed as Data Processors pursuant to Art. 28 GDPR:
   Hosting and IT infrastructure providers
   Email and communication platform providers
   Web analytics providers — specifically Google LLC (USA), acting as Data
   Processor under a Data Processing Agreement for Google Analytics 4
   Legal or technical advisors, where required by applicable law
   Judicial or administrative authorities, where legally mandated
   
   A list of current Data Processors is available on request by writing to
   amministrazione@midi-makers.com.
7. International Data Transfers
   Some of our service providers are located outside the European Economic Area:
   
   Google LLC (GA4) — USA: EU–US Data Privacy Framework (DPF), EC adequacy
   decision of 10/07/2023 (Art. 45 GDPR)
   Meta Platforms (Facebook/Instagram) — USA: EU–US Data Privacy Framework
   (DPF), EC adequacy decision of 10/07/2023 (Art. 45 GDPR)
   
   You can request the full list of transfers and applicable guarantees by writing to
   amministrazione@midi-makers.com.
8. Your Rights
   Under the GDPR (Arts. 15–22) and applicable Italian law, you can ask us at any time to:
   ‍
   1. Access the data we hold about you and receive a copy of it
   2. Correct any inaccurate or incomplete information
   3. Delete your data when it is no longer needed, or if you withdraw your consent
   4. Restrict how we process your data in specific circumstances
   5. Object to processing based on our legitimate interest
   6. Port your data to another service in a structured, machine-readable format
   7. Withdraw consent at any time, without affecting the lawfulness of prior processing
   8. Lodge a complaint with the competent supervisory authority (see Section 9)
   
   To exercise any of these rights, write to: amministrazione@midi-makers.com. We will
   respond within one month (Art. 12(3) GDPR).
9. Complaints
   Garante per la protezione dei dati personali — www.garanteprivacy.it — garante@gpdp.it
   — garante@pec.gpdp.it — Piazza Venezia, 11 — 00187 Roma, Italy.
10. Security
    We apply technical and organisational measures proportionate to the risks involved: encrypted connections (HTTPS/TLS), access controls limited to authorised personnel, and regular backups. In the event of a personal data breach, we will notify the Garante within 72 hours (Art. 33 GDPR) and, where the risk is high, communicate it to you directly without undue delay (Art. 34 GDPR).
11. Minors
    This Site is not directed at individuals under the age of 14. The Beta Program sign-up form includes a mandatory confirmation checkbox stating that the user is at least 14 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at amministrazione@midi-makers.com and we will delete the data immediately.
12. Updates to This Policy
    We may update this policy at any time. For significant changes, we will notify waitlist members by email at least 14 days before the changes take effect. Continued use of the Site after the effective date constitutes acceptance of the updated policy.